Data Trust Score is an innovative mandatory provision in Indian Personal Data Protection Bill 2019 which introduces measurability an accountability to the compliance initiatives of a Data Fiduciary. In this three part article, Mr M.G. Kodandaram, IRS, retired Assistant Director NACIN, analyses the legal aspects of the Data Trust Score system….. Naavi
Consequences of Data Trust Score
The much awaited Personal Data Protection Bill, 2019 (‘bill’ hereinafter for brevity) is awaiting the scrutiny of the joint parliamentary committee, who are in final leg of their consultation and finalization process. The sub-section (5) of Section 29 of the bill relating to Audit of policies and conduct of processing as a measure of transparency and accountability to be adopted by a data fiduciary specifically mandates, “A data auditor may assign a rating in the form of a data trust score (hereinafter ‘DTS’) to the data fiduciary pursuant to a data audit conducted under this section”. The bill authorises the auditor, conducting the compliance verification of a fiduciary, to measure the trust worthiness of such an entity by awarding a score to be prescribed through regulations by the Authority, as an indicator[i]. The scores so awarded should be published by the fiduciary in the notice issued to the principal[ii] and in the web maintained by the entity in the manner prescribed by the Authority[iii]. These scores should also be announced by the Authority[iv] in their public domains. This stipulation makes the DTS process, a more sensitive proposition as such scores will have huge ramification on the goodwill, investment and the service decisions in respect of such fiduciaries in the competing market place. Therefore it is of utmost importance to devise a justifiable scoring comprehensive pattern and configuration so that there is a fair approach in place for assigning the trust score.
As we are aware that the privacy of an individual is a very subjective issue and for this purpose, the levels of protection in place at the disposal of a fiduciary are not easily measurable in arithmetical terms. It is a well known principle that only those that are measurable could be gauged and monitored. Therefore one should explore for a system which could indirectly assist in assigning such a score with least scope for ambiguity or bias on the part of the compliance auditor. There is no availability of similar tool employed for this purpose elsewhere as no such prescriptions exist in other privacy laws in force around the globe. This is a unique positive approach by the Indian authors of law to stipulate such a mechanism for the first time. In view of the above facts, the quest for a fair and justifiable method for computation of the DTS becomes all the more challenging. An attempt is made here to suggest the ways that could be adopted for this purpose.
The best way to initiate the search for a fair solution, the author feels, is to examine the related provisions in the bill to find out the intentions, objectives and methods embedded in the proposed statute. The solutions should be within the substantial law and should not to transgress the stated perimeters. If any essential factors are missing, the same should be recommended to be part of the law in the making. With these thoughts in the background, the essential legal framework applicable to DTS, as available in the proposed law, or required to be incorporated in the law, if in case of such need arises, are deliberated in the further part of this article.
Impact of proposed law on stake holders
The proposed bill is going to impact every individual’s privacy in the present cyber society as all the services and activities, by the Government or by business and non-business entities, are being built around the digital technology as an essential component. In all walks of life, every citizen (you may call them as ‘netizen’) encounters the privacy issues in all types of communication with others. Therefore one can assume that the entire population residing in the country may have to be treated as ‘Principals’ of some fiduciary or processors at one stage or time. It could be a visit to a commercial centre or consultations with a doctor or an academy for education or any activity of assorted instances which cannot be narrated at length, where the Principal’s personal data are being collected and processed. Almost all the entities involved in dealing with individual’s personal matters, automatically qualify themselves as data fiduciary, unless they are either kept outside the applicability of the provisions or specifically exempted under the provisions. Now it is left to the guesstimate of the readers to assess the volumes of data and impact on managing such data. The bill places full responsibility on the data fiduciary to protect the privacy rights of the principal and any breach of this assurance make them liable for penal actions. Punitive measures for breaches and violations by the fiduciary could be initiated by the principal or the Authority, and adjudicated by the Authority and courts. In view of the above legal position, one can conclude that implementation of privacy laws is going to be a change of a massive scale and proportion. Therefore all the stake holders need to prepare sufficiently in advance, both in terms of technology and legal procedures, to absorb and follow the changes.
Legal provisions relating to DTS
Section 29(6) of the bill declares that, ‘the Authority shall, by regulations, specify the criteria for assigning a rating in the form of a data trust score having regard to the factors mentioned in sub-section (2)’. The subsection (2) specifies the criteria for assigning a data trust score which are discussed in the later part. From the stated stipulations the conclusions that could be drawn are, (i) evaluating the score is the responsibility of the privacy data auditor appointed by the Authority; (ii) such compliance audit in respect of a data fiduciary should cover the examinations and observation of the auditor under Sections 7,22,23,24 and 25 of the bill; (iii) the process for scoring are not left to the wisdom of the auditors, but are to be regulated by the Authority. Therefore there is legal necessity to notify the DTS regulations before going for implementation of the DTS provision.
The various powers of the Authority to make regulations are listed in section 94 of the bill. The Authority may, by notification[v], make regulations consistent with this Act and the rules made thereunder to carry out the provisions of this Act. The section 94 (2) lists out the matters that could be regulated, and among them the following are relevant for our discussions. “(l) the other factors to be taken into consideration under clause (g) of sub-section (2); the form and procedure for conducting audits under sub-section (3); the manner of registration of auditors under sub-section (4); criteria on the basis of which rating in the form of a data trust score may be assigned to a data fiduciary under sub-section (6) of section 29;
(g) the manner for submission of privacy by design policy under sub-section (2) of section 22.”
It must be noted that it is regulations to be made and not the rules, meaning that such matters (auditors, privacy by design and DTS) should be directly controlled and monitored by the Authority. The Authority may, by notification, make regulations consistent with this Act and rules to implement the DTS provisions.
Evaluation of fiduciary by Data Auditor
As per Section 29 of the bill, a significant data fiduciary shall get its policies and the conduct of its processing of personal data, audited annually by an independent data auditor. Further the Authority[vi] have powers vested with them to direct any data fiduciary to get an audit carried out by an appointed data auditor, if they are of the view that the data fiduciary is processing personal data in such manner that is likely to cause harm to a data principal. Therefore we can deduce that it is mandatory for all significant fiduciary to get audited annually and for others, it is the on the performance of fiduciary as observed by the Authority. However such proposals should normally be through written directions that could be part of the regulation.
The parameters to be used by a data auditor to evaluate the compliance of a data fiduciary includes, “(a) clarity and effectiveness of notices under section 7; (b) effectiveness of measures adopted under section 22; (c) transparency in relation to processing activities under section 23; (d) security safeguards adopted pursuant to section 24; (e) instances of personal data breach and response of the data fiduciary, including the promptness of notice to the Authority under section 25; (f) timely implementation of processes and effective adherence to obligations under sub-section (3) of section 28; and (g) any other matter as may be specified by regulations.” As this is an inclusive provision similar parameters could be added in the form of regulations, within the principal framework of the bill. It is the responsibility of the Authority to, not only notify the forms and procedures for conducting audits but also appoint persons with expertise in the area of information technology, computer systems, data science, data protection or privacy, possessing such qualifications, experience and eligibility having regard to factors such as independence, integrity and ability, as it may be specified by regulations, as data auditors under the Act. This provision leads to formation of a new stream of auditors specialised in privacy law and appropriate technology, after due entrance examination and personality tests that could be formulated under the regulations. This is one of the most critical aspects in effective implementation of privacy laws as such auditors are to exercise the responsibilities of compliance audit, followed by assigning DT score of the registered fiduciaries. Now we shall examine each of the above prescribed factors to explore the ways to compute the principles in the proposed DTS in the coming part.
(To be continued as part 2)
[i] sec. 22(5), PDP bill, [ii] sec. 7(1) (m), ibid, [iii] sec. 23(1) (f), ibid, [iv] sec. 49(2) (c), ibid, [v]Sec. 29 (7), ibid, [vi] Sec. 29(7), ibid
- M. G. KODANDARAM, IRS, Assistant Director, NACIN (Retd.)